Customized Normalcy Profiles for the Detection of Targeted Attacks

  • Conference paper
Applications of Evolutionary Computation (EvoApplications 2012)

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 7248)

Abstract

Functionality is the highest semantic level of the software behavior pyramid; it reflects the goals of the software rather than its specific implementation. Detecting malicious functionalities is therefore an effective way to detect malware in a behavior-based IDS. The technology for mining system call data discussed herein detects the functionalities that represent the operation of legitimate software within a closed network environment. The set of such functionalities, combined with the frequencies of their execution, constitutes a normalcy profile typical for that environment. Deviations from this normalcy profile, namely new functionalities and/or changes in the execution frequencies, provide evidence of abnormal activity in the network caused by malware. This approach could be especially valuable for the detection of targeted zero-day attacks. The paper presents the results of implementing and testing the described technology on a computer network testbed.
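A minimal version of the deviation check the abstract describes, added here as an illustration and not code from the paper: it builds a normalcy profile (the set of functionalities with their per-window execution frequencies) from constructed baseline windows, then flags a window that contains a functionality absent from the profile or a frequency outside the baseline's spread. The functionality labels, the windows and the k-sigma threshold are assumptions, not values from the paper.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed baseline: each inner list is one observation window of the
# functionalities mined from system-call traces of legitimate software.
# The labels are hypothetical and not taken from the paper.
BASELINE_WINDOWS = [
    ["file_read", "file_read", "net_send", "file_write", "file_read", "net_send"],
    ["file_read", "net_send", "file_read", "file_write", "file_read"],
    ["file_read", "file_read", "net_send", "net_send", "file_write", "file_read"],
    ["file_read", "net_send", "file_write", "file_read", "file_read"],
]

# Constructed test window: one functionality never seen in the baseline plus
# a sharp rise in how often net_send executes.
TEST_WINDOW = (["file_read", "file_read", "functionality_z", "file_write"]
               + ["net_send"] * 7)


def build_profile(windows):
    """Normalcy profile: per functionality, the mean and population std-dev
    of its execution count per baseline window."""
    names = sorted({f for w in windows for f in w})
    profile = {}
    for name in names:
        counts = [Counter(w)[name] for w in windows]
        profile[name] = (mean(counts), pstdev(counts))
    return profile


def detect_deviations(profile, window, k=3.0, floor=1.0):
    """Flag functionalities absent from the profile, and functionalities whose
    count (0 if missing from the window) departs from the baseline mean by more
    than k sigma. `floor` stops zero-variance baselines alerting on one call."""
    alerts = []
    observed = Counter(window)
    for name in sorted(set(observed) | set(profile)):
        count = observed[name]
        if name not in profile:
            alerts.append(("new_functionality", name, count))
        else:
            mu, sigma = profile[name]
            if abs(count - mu) > k * max(sigma, floor):
                alerts.append(("frequency_change", name, count))
    return alerts


def run_example():
    """Profile the baseline, then score the constructed test window."""
    return detect_deviations(build_profile(BASELINE_WINDOWS), TEST_WINDOW)
```

In practice the profile would be learned per network environment, as the abstract notes, and the threshold tuned against that environment's own variance rather than a fixed k.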




© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Skormin, V., Nykodym, T., Dolgikh, A., Antonakos, J. (2012). Customized Normalcy Profiles for the Detection of Targeted Attacks. In: Di Chio, C., et al. Applications of Evolutionary Computation. EvoApplications 2012. Lecture Notes in Computer Science, vol 7248. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-29178-4_49

  • DOI: https://doi.org/10.1007/978-3-642-29178-4_49

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-29177-7

  • Online ISBN: 978-3-642-29178-4

  • eBook Packages: Computer Science (R0)
